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(54) CIPHERING APPARATUS 

(57) In a secret-key cryptographic device, there are 
cascade-connected a plurality of round processing 
parts and the round processing part of each i-th round 
is supplied with input data Lj and Rj, nonlinearly trans- 
forms the input data Rj in a nonlinear function part on 
the basis of extended key, then provides the exclusive 
OR between the nonlinearly transformed output and the 
input data Lj as data R^ for input into the next round 
and outputs the input data Rj as data for input into 
the next round. The nonlinear function part of each 
round comprises: a keynjependent linear transforma- 
tion part which performs a key-dependent linear trans- 
formation of the input Rj; a splitting part which splits the 
linearly transformed output to four pieces of data in 0 , 
in 1t irt2 and irv^; first nonlinear transformation parts 
which nonlinearly transform the four split pieces of data 
and output nonlinearly transformed data midoo. mid^, 
mido2 and mk^, respectively; a key-dependent linear 
transformation part which associates these transformed 
outputs with each other and, at the same time, linearly 
transforms them based on extended key to output data 
mid 10 , mjd 11t mid 12 and nrrid 13 ; second nonlinear trans- 
formation parts which nonlinearly transform these trans- 
formed outputs, respectively, and output data outo, out 1( 
out 2 and out 3 ; and a combining part which combines 
these transformed outputs into output data Y. 
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Description 
TECHNICAL FIELD 

s [0001 ] The present invention relates to an encryption device for concealing data in data communication or storage 
and, more particularly, to an encryption device of a secret-key algorithm which encrypts or decrypts data in blocks using 
a secret key. 

[0002] A typical secret-key algorithm, which is used in an encryption device to conceal data, is the DES (Data 
Encryption Standard) that is a FlPS-approved algorithm for encryption (FIPS 46-3). 

10 [0003] Fig. 1 illustrates the functional configuration of the DES. The DES uses a 56-bit secret key to encrypt or 
decrypt data in blocks of 64 bits. In Fig. 1 the encryption process begins with the initial permutation of 64 bits of a plain- 
text P in an initial perminutation part 1 1 which is followed by splitting the transformed data into two pieces of 32-bit block 
data l_o and Rq. The block data Rq is input into a function operation part (which is commonly called a round function) 12 
shown as an i-th round processing part 14j 0=0, 1, .... 15) in Fig. 2, wherein it is transformed to f(Ro, ko) using a 48-bit 

is extended key This transformed data (Rq, ko) and the block data Lq are exclusive ORed in an XOR circuit 13, and its 
output and the block data Rq are interchanged to obtain the next block data L n , R v That is, 

R^LofcFfRo.ko) (1) 

20 L 1 = R 0 

[0004] A 0-th round processing part 14q is comprises an operation part 12, an exclusive OR circuit 13 and a data 
swapping part by which two pieces of input data Lo and Rq are subjected to round processing to provide output block 
data L 1 and R 1p and similar round processing parts 14 1 to 14 15 are provided In cascade. The processing by the i-th 
25 round processing part 14j will hereinafter be referred to as i-th processing, where i=0, 15. That is, each round 
processing part 14j (Q4<. 15) performs the following processing 

R M -L^R,*,) (2) 

30 L*1= R i 

and finally combines two pieces of data R 16 and L 16 into 64-bit data, which is transformed in a final permutation part 1 5 
to provide a 64-bit ciphertext The decryption processing can be performed following the same procedure as that for the 
encryption processing except inputting extended keys ko. ^ k 14 , k 15 into a function f in the order k 15 , k 14 k 1( ko 

35 which is reverse to that in the encryption processing. In such an instance, the outputs L 16 and R 16 from the final round 
processing part 1 4 15 are further swapped as depicted, and in the decryption processing the plaintext is provided intact 
at the output of the final permutation part 15 by inputting the ciphertext into the initial permutation part 11 to subject it 
to the processing of Fig. 1 . Of course, exactly the same result could be obtained even by providing data to the final per- 
mutation part 15 without swapping the outputs of the final round processing part 14 15 . Incidentally, the extended keys 

40 ko, k 1( .... k 14l k 15 are generated by extending a 56-bit secret key to 16 46-bit extended keys with a total of 766 bits in 
an extended key generation part 16 separate of the encryption processing. 

[0005] The processing in the function operation part 12 is performed as shown in Fig. 2. To begin with, the 32-bit 
block data Rj is transformed to 46-bit data E(R 1 ) in an extended permutation part 1 7. This output data and the extended 
key kj are exclusive ORed in an XOR circuit 18, whose output is transformed to 48-bit data E(R 1 )ek 1 , which is then 

45 split to eight pieces of 6-bit sub-block data. The eight pieces of sub-block data are input into different S-boxes S 1 to Sg 
to derive therefrom a 4-bit output respectively. Incidentally, the S-box Sj 0=1. .... 8) is a nonlinear transformation table 
that transforms the 6-brt input data to the 4-bit output data and this is a part that assumes a key role essentially in pro- 
viding security for the DES. The eight pieces of output data from the S-boxes S 1 to Sg are concatenated again to 32-bit 
data, which is applied to a transpose part 1 9 to obtain an output f(R 1 , k^ of the function f which is exclusive ORed with 

so L 1 as depicted in Fig. 8. 

[0006] Next, a description will be given of cryptanalysis techniques. A wide variety of cryptanalysis techniques have 
been proposed for the DES and other tracfitional secret-key algorithms; extremely effective cryptanalysis techniques 
among them are a differential cryptanalysis technique proposed by E. Biham and A. Shamir ("Differential Cryptanalysis 
of DES-like Cryptosystems," Proceedings of CRYPTO*90) and a linear cryptanalysis technique proposed by Matsui (1m- 
55 ear Cryptanalysis (1) of DES Cryptosystem," The 1993 Symposium on Cryptography and Information Security 1993, 
SCIS93-3C). 

[0007] With the difference between two pieces of data X and X* defined as 
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AX = XeX* (3) 

the differential cryptanalysis aims to obtain the extended key k 15 in the final round by applying to the following equations 
two sets of plaint ext-ciphertext pairs that an attacker possesses. Let L 1 and Rj represent two pieces of block data for a 
5 first plaintext input into each round processing part 1 4; of Fig. 1 and and R* represent two pieces of block data for 
a second plaintext input into each round processing part 14}. And let it be assumed that ciphertexts are provided in 
response to the input of these first and second plaintexts. Under the definition of Eq. (3). it holds that 

AL, = Lj©L*j (4) 

10 

ARj =R j©R* j 

In Fig. 1, since L 15 = R 14l L* 15 = R* 14 . L 16 = R15 and L* 16 = R* 15 , the following equations hold 
15 R 16 = L 15 ©f(R 15 ,k 15 ) (5) 

R * 16 = L * 15®*(R* 15' k is) 

and the exclusive OR of both sides of these two equations is obtained as follows: 

20 

AR 16 =AL 15 ®f(L 16 ,k 15 )©f(L 16 ©AL 

16- k 15) (6) 

The exclusive ORing of its both sides with AR 14 = AL 15 gives the following equation: 

25 f(L 16 , k 15 )®f((L l6 eAL 16 ), k 15 ) =AR 16 ©AR 14 (7) 

At this time, L 16 , AL 16 and AR 16 are data available from the ciphertext, and hence they are known information. Hence, 
if the attacker can correctly obtain AR 14 , then only k 15 in the above equation becomes an unknown constant; the 
attacker can find a correct k 15 without fail by making an exhaustive search for k 15 through utilization of the known sets 
30 of plaintext-ciphertext pairs. On the other hand, AR 14 is difficult in general to obtain since this value is an intermediate 
difference value. Then, assume that the each round processing part 14j are approximated by the following equations 
with a probability Pj in each of the 0-th to the last round but one: 

ARm = ALj<BA{f(AR|)} (8) 

35 

AL k1 = AR k1 

The point is that when certain ARj is input, A{f(AR|)} can be predicted with the probability Pj regardless of the value of 
the extended key kj. The reason for which such approximations can be made is that A{f(ARj)} is affected only by the S- 

40 box part which is a nonlinear transformation table, and that according to the input differences thereto, the S-boxes pro- 
vide an extremely uneven distribution of difference outputs. For example, in the S-box S1 , an input difference "11 01 00" 
is transformed to an output difference "0010" with a probability of 1/4. Then, the approximation for each round is 
obtained by assuming that each S-box is capable of predicting the relationship between the input difference and the out- 
put difference with a probability of p 8i and by combining them. Furthermore, the concatenation of such approximations 

45 in the respective rounds makes it possible to obtain AR 14 from ALq and ARq (ALq and ARq are data derivable from the 
plaintext, and hence they are known.) with a probability of P-Ilp-,. Incidentally, the higher the probability P, the easier the 
cryptanalysis. After the extended key k 15 is thus obtained, a similar calculation is made of the extended key k 14 regard- 
ing it as a 1 5-round DES that is one round fewer than in the above; such operations are repeated to obtain the extended 
keys one by one to ko. 

so [0008] Biham et al. say that the DES could be broken by this cryptanalysis if 2 47 sets of chosen plaintext-ciphertext 
pairs are available. 

[0009] The linear cryptanalysis aims to obtain extended keys by constructing the following linear approximate 
expression and using the maximum likelihood method with sets of known plaintext-ciphertext pairs to the attacker. 

55 (L 0 ,R 0 ).r(L 0 ,R 0 )e(L 

16' R 16) 

•r(L 

16- R16) = 0*0' k v — ■ k is) * r ( k 0' k i- — » ^15) ( 9 ) 

where r(X) represents the vector that chooses a particular bit position of X, and it is called a mask value. 

[001 0] The role of the linear approximate expression is to approximately replace the cryptographic algorithm with a 
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linear expression and separate rt into a part concerning the set of plaintext and ciphertext and a part concerning the 
extended key. That is, in the set of plaintext-ciphertext pair, the exclusive ORs between the values at particular bit posi- 
tions of the plaintext and those of the ciphertext all take a f ixed value, which indicates that it equals the exclusive OR of 
the values at particular bit positions of extended keys. This means that the attacker gets information 

5 

(k 0 .ki k l5 )-r(k 0 ,k 1 k 15 ) (1 bit) 

from information 

" (L 0 . Ro)T(L 0 . R 0 )®< L 16' Rie)- r (L 16 , R 16 ). 

At this time, (Lq, Rq) and (L 16 , R 16 ) are the plaintext and the ciphertext, and hence they are known. For this reason, if 
the attacker can correctly obtain r(Lo, Rq), r(L 16 , R 16 ) and r(ko, k-,, .... k 15 ) , then he can obtain (ko, k 1( .... k 15 ) *r(ko. 
k! k 15 ) (1 bit). 

75 [001 1 ] In the DES, it is only in the S-box that the nonlinear transformation is performed; hence, if only the S-box can 
be linearly represented, the linear approximate expression can easily be constructed. Then, assume that each S-box 
Sj can be linearly represented with a probability of p^. The point here is that when the input mask value for the S-box is 
given, its output mask value can be predicted with the probability of p sj . The reason for this is that the S-boxes, which 
form a nonlinear transformation table, provide an extremely uneven distribution of difference mask values according to 

20 the input mask values. For example, in the S-box S5, when the input mask value is "010000," an output mask value 
"11 1 r is predicted with a probability of 3/16. By combining mask values in these S-boxes, a linear approximation can 
be made in each round between the input mask value and the output mask value with a probability p;, and by concate- 
nating the linear approximations in the respective rounds, r(l_o, Rq), r(L 16 , R 16 ) and r(ko, k 1( .... K15) are obtained with 
the following probability: 

25 

P = 2 n - 1 n|p l -1/2| (10) 
Here, the higher the probability P, the easier the cryptanalysis. 

[0012] According to Matsui, he has succeeded in the analysis of the DES by this cryptanalysis through utilization 
30 of 2^ sets of known plaintext-ciphertext pairs. 

[001 3] To compete against the above cryptanalysis techniques, the probability P needs only to be reduced to a suf- 
ficiently low. Accordingly, a wide variety of proposals have been made to lessen the probability P. and the easiest way 
to provide increased security in the conventional cryptosystem is to increase the number of rounds. For example, a Tri- 
ple-DES formed by a concatenation of three DESs essentially increases the number of rounds from 1 6 to 48, and it pro- 
as vides a far lower probability P than in the case of the DES. 

[0014] However, to increase the number of rounds with a view to competing against the cryptanalysis techniques 
described above inevitably enlarges the scale of the cryptographic device used and increases the amount of data to 
process as well. Fa example, if the number of rounds is tripled, the workload for encryption will also increase threefold. 
That is, since the encryption speed of the present DES is about 1 0 Mbps in the Pentium PC class, the encryption speed 
40 of the Triple-DES goes down to around 3.5 Mbps. On the other hand, networks and computers are becoming increas- 
ingly faster year by year, and hence there is also a demand for encryption devices that keep up with such speedups. 
With conventional cryptographic devices, it is extremely cfifficult, therefore, to simultaneously meet the requirements of 
speedup and security. 

[0015] The present invention is intended to obviate the abovesakJ defects of the prior art and has for its object to 
45 provide a cryptographic device that satisfies the security requirement without increasing the number of rounds. 

DISCLOSURE OF THE INVENTION 

[001 6] The present invention is characterized in that a nonlinear function part, in particular, is provided with: a key- 
so dependent linear transformation part which linearly transforms input data of the nonlinear function part based on key 
data stored in a key storage part; a splitting part which splits the output data of the key-dependent linear transformation 
part to a plurality of bits strings; first nonlinear transformation parts which nonlinearty transform these split bit strings, 
respectively; a first linear transformation part which linearly transforms the respective output bits strings of the first non- 
linear transformation parts in association with each other; second nonlinear transformation parts which nonlinearty 
55 transform some or all of the output bit strings of the first linear transformation part; and a combining part which com- 
bines the output bit strings of the second nonlinear transformation parts into output data of the nonlinear function part. 
[001 7] To provide increased security, the invention is characterized by a second linear transformation part which lin- 
early transforms the output data of the combining part to the output data of the nonlinear function part 
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[0018] Furthermore, the invention is characterized in thai either one or both of the first and second linear transfor- 
mation parts are key-dependent linear transformation parts which linearly transform the input data thereto based on key 
data stored in the key storage part 

[0019] According to the present invention, it is guaranteed that when the probability in the S-boxes is Psj <, ft, <1 
5 (where P b is the maximum differential or linear probability in the S-boxes), the probability of approximating each round 
is Pi ^ P b 2 (when the input difference to the function f is not 0 in the case of the differential cryptanalysis, and when the 
output mask value from the function f is not 0 in the case of the linear cryptanalysis). And when the function f is bijective 
(in which case a different input always provides a different output), if the number of rounds of the cipher is set at 3m, 
then the probability of the cipher becomes P <, Pj 2m <, pt, 4 " 1 . In general, cipher are regarded as being secure against the 
io differential and linear cryptanalysis schemes if P < 2 -64 ; hence, it is necessary only to satisfy m >-16/{log 2 (Pt>)} • and 
if pt> <> 2" 4 , it is possible to ensure security with a smaller number of rounds than 16 rounds needed in the DES. The 
probability of security changes for each multiple of m rounds. 

[0020] The present invention ensures security against the differential and linear cryptanalysis with a relatively small 
number of rounds, and hence it permits implementation of a cryptographic device which copes with both security and 
is low workload. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0021] 

20 

Fig. 1 is diagram depicting the functional configuration of a conventional DES cryptographic device. 
Fig. 2 is a diagram depicting a concrete functional configuration of an f-functional calculus part 12 in Fig. 1 . 
Fig. 3 is a diagram illustrating the functional configuration of Embodiment 1 of the present invention. 
Fig. 4 is a diagram showing in detail an example of the functional configuration of a nonlinear function part 304 in 
25 Embodiment 1. 

Fig. 5 is a diagram depicting a concrete example of a key-dependent linear transformation part 347 in Fig. 4. 
Fig. 6 is a diagram illustrating the functional configuration of Embodiment 2 of the present invention. 
Fig. 7A is a diagram showing in detail the functional configuration of a nonlinear function part 304 in Embocfiment 2. 
Fig. 7B is a diagram showing a concrete example of a linear transformation part 354 in the nonlinear function part 
30 304. 

Fig. 8 is a diagram illustrating the functional configuration of Embodiment 3 of the present invention. 

Fig. 9 is a diagram showing in detail the functional conf iguration of a nonlinear function part 304 in Embodiment 3. 

BEST MODE FOR CARRYING OUT THE INVENTION 

35 

EMBODIMENT 1 

[0022] An embodiment of the present invention will be described below with reference to the accompanying draw- 
ings. 

40 [0023] Pig. 3 depicts the functional configuration for an encryption procedure in the cryptographic device according 
to an embodiment of the present invention. The cryptographic device of the present invention also splits input data to 
two pieces of block data Lq and Rq and subjects them to round processing by n cascade-connected round processing 
parts 38o to 38^ in a sequential order; each round processing part 38j (i=0, 1 n-1) is made up of a nonlinear func- 
tion part 304 corresponding to the round function part 12 in Fig. 1 , a linear operation part 305 corresponding to the XOR 

45 circuit 13 in Fig. 1 and a swapping part 306. 

[0024] Input data P, which corresponds to a plaintext, is entered into the cryptographic device via an input part 301 . 
The following key data is generated in advance by a extended key generation part 321 on the basis of the data input 
thereto from a key input part 320 and stored in a key storage part 322. 

50 {fk; koo, k 10 , ; k 01 , k 11f k 21 ;...; k 0 ^ l>1 ^ , k 1 ^ n _ 1 j , k^i) ; ek} 

The input plaintext data P is transformed in a key-dependent initial linear transformation part 302 with the extend key fk 
stored in the key storage part 322, thereafter being split in an initial splitting part 303 to two pieces of block data Lq and 
Rq. For example, 64-bit data is split to two pieces of 32-bit block data Lq and Rq- The block data Rq is input to the non- 
55 linear function part 304 of the 0-th round processing part 38q, together with the extended key koo, k io and l<2o stored in 
the key storage part 322, and in the nonlinear function part it is transformed to data Y 0 . The data Y 0 and the block data 
Lq are transformed to data Lq* through an operation in the linear operation part 305. The data Lq* and the block data 
Ro are subjected to data-position swapping in the swapping part 306 toprovideL 1 = R 0 and R 1 =L 0 *;L 1 and R t are 
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fed to the next first round processing part 38 1 . 

[0025] Thereafter, in an i-th round processing part 38; (i=1, .... n-1) the same processing as described above is 
repeated for two pieces of block data Lj and Rj. That is, in the i-th round processing part 38; the data Rj, one of the two 
pieces of block data Lj and Rj, is input into the nonlinear function part 304, together with the extended key koj, k Vl and 
5 k 2 j stored in the key storage part 322, and in the nonlinear function part 304 it is transformed to data Yj. The data Y s and 
the block data Lj are transformed to data Lj* by an operation in the linear operation part 305. Trie data Lj* and the data 
Rj are swapped in data position in the swapping pari 306 to L w = R f and R^ = Lj*. The linear operation part 305 is 
one that performs, for instance, an exclusive-OR operation. 

[0026] Letting n represent the repeat count suitable to ensure security of the cryptosystem, two pieces of data !_„ 
w and R n are obtained as the result of such repeated processing by the round processing parts 38q to 38^ . These pieces 
of data l_n and R n are combined into a single piece of block data in a final combining part 307; for example, two pieces 
of 32-bit data Lp and Rn are combined to 64-bit data. Then the thus combined data is transformed in a key-dependent 
final linear transformation part 308 using the extended key ek stored in the key storage part 322, and output data C is 
provided as a ciphertext from an output part 309. 
is [0027] To decrypt, the encryption procedure needs only to be reversed, by which the plaintext P can be derived 
from the ciphertext C. This can be done, for example, by inputting ciphertext data in place of the input data in Fig. 3 and 
then inputting the extended key in a sequential order reverse to that in Fig. 3, that is, ek, ko(n-i). k^p.^, I<2(n-i), ■», ken. 
kn , k2i, koo. kio» k 2 i,f|<- 

[0028] Fig. 4 illustrates the functional configuration of the nonlinear function part 304 used in each round process- 

20 ing part 38j. The block data Rj to the i-th round processing part 38j constitutes input data to the nonlinear function part 
304, together with the extended key koj, k 1 ; and k^ stored in the key storage part 322. The block data Rj is linearly trans- 
formed to data Rj* in a key-dependent linear transformation part 341 using the extended key ko;. The data Rj* is splitting, 
for instance, to four pieces of 8-bit data in 0 , in-j, ir^ and irvj in a splitting part 342. The four pieces of data inn. in 1p tr^ 
and irvj are nonlinearly transformed to four pieces of data rrddoo, mid 01l mid^ and mido3 ' n nonlinear transformation 

25 parts 343, 344, 345 and 346, respectively, from which they are input to a key-dependen t linear transformation part 347. 
[0029] The key-dependent linear transformation part 347 is made up of four processing routes 30 0 to 30 3 each of 
which contains at least one exclusive OR circuit as depicted in Fig. 5; these processing routes are logically combined 
by those exclusive OR circuits. Each processing route performs a linear operation (an exclusive-OR operation) of its 
own data with those of the other processing routes to generate uniformed pieces of data in the respective processing 

30 routes; in the example of Fig. 5, they are further linearly processed by extended key k 1j( That is, the pieces of data 
midoo, midoi* m K*Q2 and mid 03 are fed into the processing routes 30 0 to 3O3, respectively. In the processing route 30i 
the pieces of input data midoo and mid 01 are exclusive ORed by an XOR 31 n , and in the processing route 30 2 the pieces 
of input data mid 0 2 and mid^ are exclusive ORed by an XOR 31 2 . and the outputs from the XOR 31 1 and the XOR 31 2 
are exclusive ORed by an XOR 32 2 . The outputs from the XOR 31 1 and the XOR 32 2 are exclusive ORed by an XOR 

35 33 1t then the output from the XOR 33 1 and the input data midoo are exclusive ORed by an XOR 34q, and the output 
from the XOR 32 2 and the input data mido3 are exclusive ORed by an XOR 343. Furthermore, the outputs from the 
XORs 34o, 33 1p 32 2 and 343 and extended key k 1j0 , k 1i1a k 1i2 and k 1i3 are exclusive ORed by XORS 35q to 353, from 
which rrud 10 . mid 11p mid 01 and mid 13 are output respectively. That is, the input data midoo* m *doi. midce and mid^ to 
the processing routes 30 0 to 30 3 are associated with one another and then undergo linear transformations which are 

40 dependent on the key data k 1i0 , kj ;i , k 1i2 and k r #. respectively. In short, logical operations given by the following logical 
expressions are performed. 

mid 10 = mid ^©mid 02 e mid 03©k 1j0 (1 1) 

45 mid ^ = mid 02 ©mid 03 ©k 1M 

mid 12 = mid 00 ©mid 01 ©mid ^ ©mid ^©kl e 
mid-,3 =rrud 00 ©rnid 01 ©mid 0 2©k 1i 3 

50 

As is evident from these expressions, the output from each processing route of the key-dependent linear transformation 
part 34 contains input data of at least two or more other routes in the form of exclusive ORs in this example, and accord- 
ingly the output data of each route is so uniformed as to contain two or more components of the four pieces of input 
data. 

55 [0030] These pieces of output data rrud 10 , rrrid^, mid 12 and mid 13 are noniinearty transformed to corresponding 
pieces of data outn, out 1( out 2 and out 3 in nonlinear transformation parts 348, 349, 350 and 351, respectively, and the 
pieces of data are provided as output data from the respective processing routes to a combining part 352, wherein they 
are combined into a single piece of block data Yj*. That is, for example, four pieces of 8-bit data are combined into one 
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piece of 32 -bit data. The data Yj* is linearly transformed by extended key to data Yj in a key-dependent linear trans- 
formation part 353; thus, the output data Yj from the nonlinear function part 304 is generated. The nonlinear transfor- 
mation parts 343 to 346 and 348 to 351 are similar, for instance, to the S-bax in the DES, and they are each formed, for 
example, by a ROM whose output data differs with the input data thereto. 
5 [0031] The four nonlinear transformation parts 343 to 346 are arranged in parallel and their transformation proc- 
esses are not associated with one another, and hence they can be executed in parallel; accordingly, an increase in the 
processing time by increasing the number of such nonlinear transformation parts can be deal with by the parallel 
processing thereof. The same is true of the nonlinear transformation parts 348 to 351 . 

[0032] The time necessary for processing in the linear operation part 305 (Fig. 3) and the key-dependent linear 
10 transformation parts 341 , 347 and 353 (Fig. 4), which constitute each round processing part 38 jt is appreciably shorter 
than the time required to perform processing of the nonlinear transformation parts 343 to 345 and 348 to 351 similar to 
the S-box; therefore, the time necessary for encryption processing is substantially in proportion to the number of S- 
boxes or nonlinear transformation parts used. However, since the key-dependent linear transformation part 347 renders 
plural pieces of input data into uniformed outputs as described previously, it is possible to omit one or more of the non- 
75 linear transformation parts 348 to 351 and input the corresponding pieces of data into the combining part 352 when it 
is prekncwn that the key-dependent linear transformation part 347 performs such a particular linear transformation as 
described above with reference to Fig. 5. This can be done without diminishing the security against the differential and 
linear cryptanalysis, and the workload for encryption can be reduced by the number of nonlinear transformation parts 
thus omitted. For example, when the key-dependent linear transformation part 347 is such as shown in Fig. 5, even if 
20 the nonlinear transformation parts 349 and 350 are omitted and the pieces of data mkJ^ and mid 12 are fed intact into 
the combining part 352, the security against the differential and linear cryptanalysis remains unchanged but the encryp- 
tion speed increases about 33%. In other words, when the operation of the key-dependent linear transformation part 
347 is predetermined, the presence of one or more of the nonlinear transformation parts 348 to 351 may sometimes 
has nothing to do with the security against the differential and linear cryptanalysis, in which case they can be omitted. 
25 [0033] Incidentally, in Fig. 3 the generation of the extended key {fk, koo. k 10 , k 20 , koi. k 11( ko (rv1 ), k 1(n . 1)( k 2 ( n . 1 ), 
ek) by the extended key generation part 321 can be done in the same manner as in the extended key generating part 
16 for the DES in Fig. 1. 

[0034] ff the above cryptographic device is designed so that, for example, the nonlinear transformation parts 343 to 
346 and 348 to 351 are each approximated with a probability of Pb - 2" 6 by the differential and linear cryptanalysis tech- 

30 niques and that each round processing part 38; performs the nonlinear transformation twice, that is, performs in tandem 
the processing by the transformation parts 343 to 346 and the processing by the transformation parts 348 to 351 , each 
round is approximated with a probability of Pj £ 2" 12 ; setting the number n of rounds at n = 3m, the round processing of 
the entire cryptographic device is approximated with a probability of 2" 24rT1 . For example, if m = 4 (the number of 
rounds: 12), the probability becomes P <. 2~ 96 , which satisfies a security condition P < 2" 64 with a smaller number of 

35 rounds than that 1 6 of the DES, providing a cryptographic device with a sufficiently high level of security against the dif- 
ferential and linear cryptanalysis. That is, according to the present invention, the security against cryptanalysis can be 
increased by configuring the round function 12 (Fig. 1) to perform the nonlinear transformation twice in succession. 
[0035] Since the key-dependent initial linear transformation part 302, the key-dependent final linear transformation 
part 308 and the key-dependent linear transformation parts 347 and 353 are linear transformation parts that are 

40 dependent on extended keys, they provide sufficient security against other cryptanalysis as well as the differential and 
linear cryptanalysis, ensuring the implementation of a cryptographic device that attaches prime importance on security. 
[0036] The present invention is not limited specifically to this embodiment; for example, if it is desirable to speed up 
encryption, it is possible to omit any one or all of these key-dependent initial linear transformation part 302, the key- 
dependent final linear transformation part 308 and the key-dependent linear transformation part 353 as in the embodi- 

45 ment described later on. In this instance, the security against the differential and linear cryptanalysis will not be dimin- 
ished on the one hand, but on the other band the processing speed for encryption can be increased corresponding to 
the number of operations omitted. But there is a fear of providing decreased security against the other cryptanalysis. 
Alternatively, any one or all of the key-dependent initial linear transformation part 302, the key-dependent final transfor- 
mation part 308 and the key-dependent linear transformation parts 347 and 353 may be modified to key-independent 

so linear transformation parts. This will not diminish the security against the other cryptanalysis as well as the differential 
and linear cryptanalysis, and makes it possible to increase the processing speed for encryption by implement optimiza- 
tion. The linear transformation parts each perform a transposition of swapping bit positions of input data in a predeter- 
mined relationship, a rotation of the input data by a predetermined number of bits, and so forth. The key-dependent 
linear transformation parts each perform a rotation by the number of bits corresponding to the extended key, an exdu- 

55 sive OR of the input data and the extended key, and so on. 



7 



EP 1001 398 A1 



EMBODIMENT! 2 

[0037] Fig. 6 illustrates an embodiment which omits middle two of the second four nonlinear transformation parts 
348 to 351 in the nonlinear function part 304 (Fig. 4) of the first embodiment shown in Fig. 3. In this embodiment there 
5 are also omitted the key-dependent initial linear transformation part 302 and the key-dependent final linear transforma- 
tion part 308. 

[0038] The input data P equivalent to a plaintext is input into the cryptographic device via the input part 301 . The 
input data P is split to two pieces of block data Lq and Rq in the initial splitting part 303. The block data Rq is input to the 
nonlinear function part 304 of the 0-th round processing part 38q, together with the extended key ko 0 and k^ stored in 

io the key storage part 322, wherein it is transformed to data Y 0 through transformation processing. The data Y 0 and the 
data Lq are transformed to data Lq* by an operation in the linear operation part 305. The data Lq* and the data Rq are 
subjected to data -position swapping in the swapping part 306 to provide L 1 = R 0 and R 1 = L 0 * . Thereafter, in the i- 
th round processing part 38j (i=1, rt-1) the same processing as described above is repeated for the two pieces of 
data Lj and Rj. That is, the data Rj, one of the two pieces of data Lj and Rj, is input into the nonlinear function part 304, 

75 together with the extended key koj and k^ stored in the key storage part 322, and in the nonlinear function part 304 it is 
transformed to data Yj. The data Yj and the data Lj are transformed to data Lj* by an operation in the linear operation 
part 305. The data Lj* and the data Rj are swapped in data position in the swapping part 306 for transformation to 
L^R.andR^L,*. 

[0039] Letting n represent the repeat count suitable to ensure security of the cryptosystem, two pieces of data Ln 
20 and R n are obtained by such n repeated rounds of processing. These pieces of data and R n are combined in the final 
combining part 307, and the combined output is provided to the output part 309. from which the output data C is output 
as the ciphertext. 

[0040] To decrypt, the encryption procedure needs only to be reversed, by which the plaintext P can be derived 
from the ciphertext C. 

25 [0041 ] Fig. 7A illustrates the functional configuration of the nonlinear function part 304 of the i-th round processing 
part 38; in the Fig. 6. The data Rj from the preceding round processing part constitutes input data to the nonlinear func- 
tion part 304, together with the extended key ko; and kg stored in the key storage part 322. The data Rj is linearly trans- 
formed to data Rj* in the key-dependent linear transformation part 341 using the extended key koj. Then the data Rj* is 
split to four pieces of data ity, in 1( in? and ir>3 in the splitting part 342. The four pieces of data irto, in 1t in 2 and in 3 are 

30 nonlineany transformed to four pieces of data mtdo 0 * mid oi . midra and mido3 in the nonlinear transformation parts 343, 
344, 345 and 346, respectively, from which they are input to a linear transformation part 354. In the linear transformation 
part 354 the four pieces of input data are transformed so that they are mutually associated between the four processing 
routes 30 0 to 30 3 as depicted in Fig. 7B. This is the same example as in the case of omitting the logical operation with 
the extended key in Fig. 5 and can be given by the following expressions. 

35 

mid 10 = mid oo® mW 02® 03 (12) 

mid = mid Q2 ©mid Q3 

40 mid 12 = mid oo ©mid 01 ©mid 02 ©mid 03 

mid 1 3 =mid 00 ©mid 01 ©mid 02 

[0042] By this linear transformation, uniformed data mid 10 , mid 1 1 , mid 12 and mid 13 are generated, and two pieces 
45 of data mid 10 and rrrid 13 are nonlinearly transformed to data outo and out 3 in the nonlinear transformation parts 348 and 
351, respectively, after which the four pieces of data outo, rrrid^, mid 12 and out 3 are combined into a single piece of 
data Yj* in the combining part 352. Finally, the data Yj* is linearly transformed to the data Yj in the key-dependent linear 
transformation part 353 using the extended key k 2i , by which the output data Yj from the nonlinear function part 304 is 
generated. 

so [0043] The nonlinear transformation parts 343 to 346 are arranged in parallel and their transformation processes 
are not associated with one another, and hence they can be executed in parallel. The same goes for the nonlinear trans- 
formation parts 348 and 351 . In this embodiment since the number of second nonlinear transformations in each non- 
linear function part 304 is reduced to the outer two (348 and 351) alone, the workload for encryption of decryption can 
be decreased accord ngly. 

55 [0044] Incidentally, the extended key kj is data transformed in the extended key generation part 321 from the secret 
key Key input into the cryptographic device via the key input part 320 and stored in the key storage part 322. 
[0045] In the case of the above cryptographic device, for example, if the nonlinear transformation parts 343 to 346, 
348 and 351 are designed to provide an approximate representation with the probability of p b = 2" 6 against the differ- 
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ential and linear cryptanalysis, each round processing part can provide an approximate representation with the same 
probability of Pj <, 2~ 12 as in Embodiment 1 ; setting the number n of rounds at n = 3m, the cryptographic device provides 
an approximate representation with the probability of P <, 2" 24m as a whole. For example, rf m = 4 (the number of rounds: 
12), the probability becomes P £ 2" 96 , ensuring a sufficiently high level of security against the differential and linear 
5 cryptanalysis. 

[0046] Moreover, the presence of the key-dependent linear transformation part 353 provides a margin of security 
against other cryptanalysis than the differential and linear cryptanalysis, and the simplified configuration as compared 
with that of Embodiment 1 reduces the workload. That is, the cryptographic device of this embodiment places impor- 
tance on the balance between security and reduced workload. 

w 

EMBODIMENT 3 

[0047] Fig. 8 illustrates an embodiment which omits the key-dependent linear transformation part 353 in the nonlin- 
ear function part 304 of the second embodiment depicted in Fig. 6. The input data P equivalent to a plaintext is input 

is into the cryptographic device via the input part 301 . The input data P is split to two pieces of block data Lq and R 0 in the 
initial splitting part 303. The block data Rq is input to the nonlinear function part 304 of the 0-th round processing part 
38q, together with extended key ko stored in the key storage part 322, wherein it is transformed to data Y 0 through trans- 
formation processing. The data Y 0 and the data Lq are transformed to data Lq* by an operation in the linear operation 
part 305. The data Lq* and the data Rq are subjected to data-position swapping in the swapping part 306 for transfor- 

20 mation to L 1 = R 0 and R 1 = L 0 * . Thereafter, in the i-th round processing part 38; the same processing as described 
above is repeated for the two pieces of data Lj and Rj. That is, the data Rj, one of the two pieces of data Lj and Rj, is 
input into the nonlinear function part 304, together with extended key lq stored in the key storage part 322, and in the 
nonlinear function part 304 it is transformed to data Yj. The data Yj and the data L, are transformed to data Lj* by an 
operation in the linear operation part 305. The data Lj* and the data Rj are swapped in data position in the swapping 

25 part 306 for transformation to L k1 = R, and R k1 = L j* , and two pieces of block data and R i+1 are output. 

[0048] Letting n represent the repeat count suitable to ensure security of the cryptosystem, two pieces of data L„ 
and R n are obtained by such n repeated rounds of processing. These pieces of data Lp and Rp are combined in the final 
combining part 307, and the combined output is provided to the output part 309, from which the output data C is output 
as the ciphertext. 

30 [0049] The ciphertext C can be deciphered to the plaintext P by following the encryption procedure in reverse. 
[0050] Fig. 9 illustrates the functional configuration of the nonlinear function part 304 in the Fig. 8. The data Rj to 
the nonlinear function part 304 is fed to the key-dependent linear transformation part 341, together with the extended 
key kj stored in the key storage part 322. The data Rj is linearly transformed to data Rj* in the key-dependent linear 
transformation part 341 using the extended key kj. Then the data Rj* is split to four pieces of data inn, in 1 , in 2 and ir»3 in 

35 the splitting part 342. The four pieces of data inn, in^ ina and irvj are nonlinearty transformed to four pieces of data 
midoo, midoi, mido2 and mido3 in the nonlinear transformation parts 343, 344, 345 and 346, respectively, from which 
they are input to the linear transformation part 354. The linear transformation part 354 linearly transforms them to the 
following pieces of data mid 10 , mid 1 1t rrud 12 and mjd 13 , for example, in the same manner as described above with ref- 
erence to Fig. 7B in Embodiment 2. 

40 

mid 10 = mid 00 ©mid 0 2©mid 0 3 (13) 

mid u = mid Q2 ©mid 03 

45 mid 12 = mid ^©mid 01 ©mid (^©mid 03 

mid 13 = mid ^©mid 01 ©mid & 

Then the two pieces of data mid 10 and mjd 13 are nonli nearly transformed to data outo and out3 in the nonlinear trarts- 
50 formation parts 348 and 351 , respectively, after which the four pieces of data 01% mid 1 1 , mid 12 and out 3 are combined 
into a single piece of data in the combining part 352, by which the output data Yj from the nonlinear function pan 304 is 
generated. 

[0051] The nonlinear transformation parts 343 to 346 are arranged in parallel and their transformation processes 
are not associated with one another, and hence they can be executed in parallel. The same goes for the nonlinear trans- 
55 formation parts 348 and 351. 

[0052] Incidentally, the extended key kj is data transformed in the extended key generation part 321 from the secret 

key Key input into the cryptographic device via the key input part 320 and stored in the key storage part 322. 

[0053] In the case of the above cryptographic device, for example, rf the nonlinear transformation parts 343 to 346, 
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348 and 351 are designed to provide an approximate representation with the probability of Pb = 2" 6 against the differ- 
ential and linear cryptanalysis, each round processing part can provide an approximate representation with the proba- 
bility of Pj <, 2~ 12 ; setting the number n of rounds at n = 3m, the cryptographic device provides an approximate 
representation with the probability of P <. 2' 24m as a whole. For example, if m =4 (the number of rounds: 12), the prob- 
5 ability becomes P <, 2~ 96 , ensuring a sufficiently high level of security against the differential and linear cryptanalysis. 
[0054] Moreover, since the cryptographic device of this embodiment has a configuration that includes the minimum 
number of parts required to provide a sufficient level of security against the differential and linear cryptanalysis, the 
workload is reduced and the encryption or decryption speed is improved accordingly. 

[0055] In the above, the splitting part 342 in the nonlinear function part 304 needs not always to split the input data 
10 into four but may also split it to an arbitrary number of pieces. In the case splitting the data into four, the number of sec- 
ond nonlinear transformation parts may be reduced to only two as depicted in Figs. 7A and 9. 
[0056] In the following table there are shown, in comparison with the case of the DES of Figs. 1 and 2, the security 
level per round, the number of rounds satisfying the security requirement and the workload (the number of steps) nec- 
essary therefor in the case of using six nonlinear transformation parts (343 to 346, 348, 351) in the nonlinear function 
is part 304 (a round function) depicted in the second and third embodiments described above. In the comparison, the 
embodiments of the present invention used a total of 32 bits for the data to the nonlinear transformation parts 343 to 
346 which correspond to the S-boxes of the DES, and hence the data to each nonlinear transformation part was 8-bit; 
therefore, the size of each S-box was made 8-bit and consequently, the number of S-boxes was four. 

20 



Comparative Table 




No. of S-boxes per round 


Security level per round 


Required No. of rounds 


No. of steps 


DES 


4 


2 -6 


17 


68 


This invention 


6 


2-12 


9 


54 



[0057] As will be seen from this table, the number of S-boxes (the number of nonlinear transformation parts) per 
30 round in the present invention is larger than in the DES, but the security level per round in the present invention is twice 
that of the DES. On this account the number of rounds required to meet the security requirement is smaller than in the 
case of DES, and the workload (the number of steps) necessary for providing the security is also smaller. 

EFFECT OF THE INVENTION 

35 

[0058] As described above in detail, according to the present invention, the input data is split to plural pieces of data 
in the nonlinear function part then these pieces of data are nonlinearty transformed and linearly transformed in asso- 
ciation with each other, and at lease one part of such linearly transformed data is nonlinearty transformed, by which it 
is possible to provide a highly secure cryptographic device for concealing data in data communication or storage. 

40 

Claims 

1 . A cryptographic device which encrypts input data by sequentially processing it by a plurality of round processing 
which nonlinearty transforms it using extended key, comprising: 

45 

an initial splitting part which splits the input data to two pieces of block data; 
a key storage part for storing extended key; 

a plurality of cascade-connected round processing parts which are supplied with said two pieces of block data 
and sequentially process them using said extended key; and 
so a final combining part which combines two pieces of block data output from the last round of said plurality of 

cascade-connected round processing parts into a single piece of data and outputs it; 
wherein each of said plurality of round processing part comprises: 

a nonlinear function part which transforms one of two pieces of block data input thereto from the preceding 
stage, depending on extended key stored in said key storage part; 
55 a linear operation part which linearly operates the output data from said nonlinear function part and the other 

of said two pieces of block data; and 

a swapping part which swaps the output data from said linear operation part and the input block data to said 
nonlinear function part and provides the two pieces of swapped data as two pieces of input block data to said 
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round processing part of the next round; and 
wherein said nonlinear function part comprises: 

a key-dependent linear transformation part which linearly transforms input data based on extended key stored 
in said key storage part to thereby generate transformed data; 
5 a splitting part which splits the transformed data from said key-dependent linear transformation part to a plu- 

rality of bit strings; 

a plurality of first nonlinear transformation parts which nonlinear ly transform these bit strings, respectively, and 
output transformed data; 

a first linear transformation part which linearly transforms the transformed data from said plurality of first non- 
10 linear transformation parts in association with each other and outputs a plurality of pieces of uniformed data to 

a plurality of routes, respectively; 

a second nonlinear transformation part provided in at least one of said plurality of routes, for nonlineariy trans- 
forming said uniformed data from the corresponding one of said first linear transformation parts, and for out- 
putting the transformed data as data of that route; and 
15 a final combining part which combines data from said plurality of routes into output data of said nonlinear func- 

tion part 

2. The cryptographic device of claim 1 , wherein said first linear transformation part comprises a key-dependent linear 
operation part which linearly transforms said plurality of pieces of uniformed data based on extended key stored in 

20 said key storage part and outputs the plurality of transformed data as data of said plurality of routes. 

3. The cryptographic device of claim 1 or 2, wherein there is provided a second linear transformation part which line- 
arly transforms the output data from said combining part to provide the output data of said nonlinear function part 

25 4. The cryptographic device of claim 3, wherein said second linear transformation part is a linear transformation part 
which performs a linear transformation based on extended key stored in said key storage part 

5. The cryptographic device of claim 4, wherein said first linear transformation part comprises at least one exclusive 
OR circuit provided in each of said plurality of routes, for outputting said uniformed data to said each route by an 

30 exdusive-OR operation of data of said each route and data of other routes. 

6. The cryptographic device of any one of claims 1 through 5, wherein there is provided an initial linear transformation 
part which linearly transforms said input data and supplies it to said initial splitting part. 

35 7. The cryptographic device of claim 6, wherein said initial linear transformation part is a transformation part which 
performs a linear transformation based on extended key stored in said key storage part. 

8. The cryptographic device of any one of claims 1 through 7, wherein there is provided a final linear transformation 
part which linearly transforms the output data of said final combining part to provide it as the output of said crypto- 

40 graphic device. 

9. The cryptographic device of claim 8, wherein said final linear transformation part is a transformation part which per- 
forms a linear transformation based on extended key stored in said key storage part. 

45 10. The cryptographic device of arty one of claims 1 through 9, wherein said plurality of routes are first; second, third 
and fourth routes arranged in this order. 

1 1 . The cryptographic device of claim 1 0, wherein said second nonlinear transformation part is provided in each of said 
four routes. 

so 

1 2. The cryptographic device of daim 1 0, wherein said second nonlinear transformation part is provided in each of said 
first and fourth routes. 

13. The cryptographic device of claim 12, wherein said first linear transformation part comprises: 

55 

a first exclusive OR drcuit provided in said second route, for carrying out the exdusive-OR between data of 
said first route and data of said second route; 

a second exdusive-OR drcuit provided in said third route, for carrying out the exdusive OR between data of 
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said fourth route and data of said third route; 

a third exclusive-OR circuit provided in said third route, for carrying out the exclusive OR between the output 
of said second exclusive-OR circuit and the output of said first exclusive-OR circuit; 
a fourth exclusive-OR circuit provided in said second route, for carrying out the exclusive OR between the out- 
put of said first exclusive-OR circuit and the output of said third exclusive-OR circuit 
a fifth exclusive-OR circuit provided in said first route, for carrying out the exclusive OR between the data of 
said first route and the output of said fourth exclusive-OR circuit; and 

a sixth exclusive-OR circuit provided in said fourth route, for carrying out the exclusive OR between the data of 
said fourth route and the output of said third exclusive-OR circuit 
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